Matthew Schalit wrote: > Victor McAllisteer wrote: > > > > > This is some crazy method of geographic load balancing. A whole lot of > > boxes use TCP port 53 simultaneously to find out what part of the world. > > Victor, wouldn't the load balancing we've seen over the > last months that hits port 53 by SYN traffic? Why > are all his log entries refering to non-SYN traffic, > i.e. responses? > > Matthew
There was a lot of list traffic back in May on the LRP list concerning these port 53 weirdness. My understanding is that tcp port 53 to port 53 is usually a zone transfer. Leaf boxes running tiny DNS will not respond to tcp queries. I believe a number of list members analyzed this stuff using resources beyond just the log entries. It comes all at once from many different IPs. The same IPs always show up repeatedly in the space of a few seconds.. They fill the logs - often with 600 DENYs in a period of 10 seconds or less. Someone traced the ownership of the machines. Apparently it is some sort of proprietary method of determining which machine you are closest to geographically so they can serve up some pop up ad efficiently (for them). DENY (no response) doesn't seem to prevent the pop up ads. Perhaps if they can't get you to send them back a packet, they end up serving the pop up from some default machine. Those who pay for this "technology" should have their head examined. _______________________________________________ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
